首先明白操作系统平台是Ubuntu 14.04 LTS
如今我们要在Ubuntu 14.04上部署snort NIDS(入侵检測系统)。
须要这些东西:
SNORT / Barnyard2 / Mysql / Apache2 / BASE
在进行全部工作之前,请运行下面命令,确保安装必要的软件(工具链)
sudo apt-get install -y build-essential libpcap0.8-devlibpcre3-dev libdumbnet-dev bison flex zlib1g-dev
SNORT
sudo apt-get install snort第二种是从源码安装。
sudo apt-get update
sudo apt-get upgrade
測试看看。运行:
snort -V假设显示出下面:
,,_ -*> Snort! <*- o" )~ Version 2.9.7.0 GRE (Build 149) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.5.3 Using PCRE version: 8.31 2012-07-06 Using ZLIB version: 1.2.8
说明成功安装了!祝贺。
接着我们要改动snort的配置文件(注意我们使用的软件源方式,故配置文件路径较为固定)
sudo vim /etc/snort/snort.conf
将115行(大概位置)改动例如以下(假设一样的话则不改动)
var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules目的在于指定规则文件存放的路径。
在第51行 :
ipvar HOME_NET 192.168.1.0/24
第536行。改动成例如以下所看到的 :
output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types
(假设文件本身就和我这里改动后的一样则不是必需改动)
如今启动測试SNORT :
sudo service snort restart删除之前日志中得内容(我们改变了日志格式,使用了时间戳格式)
sudo rm /var/log/snort/snort.log
(题外话:第51行不是必需改动,由于被/etc/snort/snort.debian.conf覆盖了)
如今我们要測试下snort的规则。
/etc/snort/rules是我们的用于存放规则文件的路径。以后snort就是依据诸多的规则文件给我们提供预警和提示。
打开规则文件:
sudo vim /etc/snort/rules/local.ruleslocal.rules是用于自己定义规则的规则文件。
然后加入自己的规则到local.rules:
alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;) alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002; rev:1;)这两条规则大概就是说不论什么发往本机的ICMP和HTTP数据包都会触发警告!
保存退出。
为了便于測试。继续改动snort.conf文件。
大概在573行的位置。作例如以下操作:
将除了local.rules之外的规则文件所有去除(不包括进来)。
(也就是接下来数十行的include)。
终于这样:
# site specific rules include $RULE_PATH/local.rules
(这是为了便于測试)
sudo snort -T -c /etc/snort/snort.conf
假设看到显示结果例如以下:
... Snort successfully validated the configuration! Snort exiting而且还能在诸多输出信息中找到例如以下输出:
+++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... 1 Snort rules read 1 detection rules 0 decoder rules 0 preprocessor rules 1 Option Chains linked into 1 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-------------------[Rule Port Counts]--------------------------------------- | tcp udp icmp ip | src 0 0 0 0 | dst 0 0 0 0 | any 0 0 1 0 | nc 0 0 1 0 | s+d 0 0 0 0 +----------------------------------------------------------------------------
再次祝贺!规则成功载入。測试通过!
作了以上改动之后,以下開始真正的測试。
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0随后。你能够使用还有一台电脑或者开另外一个terminal使用ping命令。ping測试主机。
比方:ping localhost
你应该能在測试主机上看到相似的例如以下输出:
10/31-02:27:19.663643 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64 10/31-02:27:19.663675 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74 10/31-02:27:20.658378 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64 10/31-02:27:20.658404 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74 10/31-02:27:21.766521 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64 10/31-02:27:21.766551 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74 10/31-02:27:22.766167 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64 10/31-02:27:22.766197 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74 ^C*** Caught Int-Signal
(按ctrl+c结束)
然后你去查看/var/log/snort,你也会发现有被命令为snort.log.nnnnnn(nnnn代表数字),这些文件里包括的和屏幕上打印出来的是一样的信息。
祝贺。如今我们已经可以依据自己的规则显示警告信息了。
Barnyard
sudo apt-get install -y libmysqlclient-dev autoconf libtool
output unified2: filename snort.u2, limit 128
接下来安装和配置Barnyard:
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz依次运行:
tar zxvf barnyard2-2-1.13.tar.gz cd barnyard2-2-1.13 autoreconf -fvi -I ./m4
64bit和32bit机器分别运行下面:
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu --with-mysql-includes=/usr/include/ ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu --with-mysql-includes=/usr/include/
继续:
make sudo make install
sudo cp /usr/local/etc/barnyard2.conf /etc/snort
sudo mkdir /var/log/barnyard2 sudo chown snort.snort /var/log/barnyard2
sudo cp schemas/create_mysql /usr/src
编辑:
sudo gedit /etc/snort/barnyard2.conf#227行 改为:
output alert_fast ( instead of output alert_fast: stdout )
output database: log, mysql, user=snort password=secret2 dbname=snort host=localhost
( 用你的snort用户的password取代secret2 ,接下来在MySQL中会用到secret2)
MySQL
[ 输入MySQL的rootpassword ]
在MySQL控制台依次输入下面内容(注意分号结尾):
create database snort;
create database archive;
grant usage on snort.* to snort@localhost;
grant usage on archive.* to snort@localhost;
set password for snort@localhost=PASSWORD('secret2');
grant all privileges on snort.* to snort@localhost;
grant all privileges on archive.* to snort@localhost;
flush privileges;
exit
use snort; source /usr/src/create_mysql; show tables; exit
Snort 和Barnyard 測试
<span style="font-size:12px;">sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D</span>
你不会看到输出结果。由于程序在后台执行的。
<span style="font-size:12px;">sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort</span><span style="font-size: 18.6666660308838px;"> </span>
应该能看到下面输出:
--== Initialization Complete ==-- ______ -*> Barnyard2 <*- / ,,_ Version 2.1.13 (Build 327) |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/ + '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com> Using waldo file '/var/log/snort/barnyard2.waldo': spool directory = /var/log/snort spool filebase = snort.u2 time_stamp = 1412527313 record_idx = 16 Opened spool file '/var/log/snort/snort.u2.1412527313' Closing spool file '/var/log/snort/snort.u2.1412527313'. Read 16 records Opened spool file '/var/log/snort/snort.u2.1412528990' Waiting for new data使用ctrl+c结束。
mysql -u snort -p -D snort -e "select count(*) from event"
应该会出现下面结果:
+----------+ | count(*) | +----------+ | 4 | +----------+
***假设出现少了一个sid-msg.map文件的错误。下面方式修复:
cd /usr/share/oinkmaster sudo bash -c "sudo ./create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map"
BASE
sudo apt-get install libphp-adodb
继续改动配置文件:
编辑 "/etc/php5/apache2/php.ini", 找到这一行"error_reporting" ,改动它:
error_reporting = E_ALL & ~E_NOTICE
编辑/etc/apache2/apache2.conf 加入许可www/base :
----------------------------------------------------------------------------------------------------- <Directory /var/www/html/base> AllowOverride All Require all granted </Directory> -----------------------------------------------------------------------------------------------------
重新启动apache2 :
sudo service apache2 restart
安装BASE依赖:
sudo apt-get install php-pear sudo apt-get install libwww-perl sudo apt-get install php5-gd sudo pear config-set preferred_state alpha sudo pear channel-update pear.php.net sudo pear install --alldeps Image_Color Image_Canvas Image_Graph
假设得到下面错误: ' could not extract the package.xml file ' 。那么下面方法能够修复这个错误。
当下载了这6个pear包之后,我们手动安装 ( 3 + 3 dependencies ).
例如以下:
cd /build/buildd/php5-5.5.9+dfsg/pear-build-download ls
这里应该有6个 .tgz 包. 手动安装:
sudo tar zxf Image_Color*.tgz
sudo cp package.xml ./Image_Color*/ cd Image_Color* sudo pear install package.xml cd ..依照上面方法依次安装其余的五个包。
Image_Canvas
Numbers_Roman
Math_BigInteger
Numbers_Words
Image_Graph
BASE的安装:
cd /usr/src sudo wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz sudo tar -zxf base-1.4.5.tar.gz sudo cp -r base-1.4.5 /var/www/html/base sudo chown -R www-data:www-data /var/www/html/base sudo service apache2 restart
BASE设置:
浏览器输入:http://localhost/base
(语言就选择默认的英文)
Step 1) 输入路径 : /usr/share/php/adodb
Step 2) Database Name : snort
Database Host : localhost
Database User Name: snort
Database Password : secret2(之前输入的)
( tick 'Use Archive Database' )
Archive Database Name : archive
Archive Database Host : localhost
Archive Database User Name : snort
Archive Database Password : secret2(之前输入的)
Step 3)
Full admin name ( xxx )
[GUI password] ( Secret3 )
Full admin name ( XXXX )
Step 4) 点击 ' Create baseAG'
Step 5) 点击 ' Now continue to Step 5 ' and login ( XXX/ secret3 )
然后ping主机的话。不出意外每3min就会跟新显示snort的信息。